Security Services

Security Overview:

Amazon GuardDuty

  • Threat detection service in AWS that continuously analyzes the account's most security-relevant data sources (CloudTrail, VPC flow logs, DNS logs) and raises findings for suspicious activity.

  • Can add your own threat intelligence lists (IOC IP addresses) so that activity involving those IPs raises findings.

    • GuardDuty also supports trusted IP lists: activity from those IPs never generates findings. A TA with guardduty permissions can add their own IP address to a trusted IP list so their activity is ignored in alerts (defense evasion). Watch CreateIPSet / UpdateIPSet in CloudTrail.
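The defense-evasion trick above leaves a trail in CloudTrail, because every GuardDuty configuration change is an API call. The following is an added example (not from the original notes) of detection logic that runs over CloudTrail management events and flags the calls an attacker would use to blind GuardDuty: adding a trusted IP list, disabling or deleting the detector, or cutting member accounts loose. The sample records, account ID, ARNs and detector ID are constructed; the event names are real GuardDuty API actions.

```python
"""Detect GuardDuty tampering (defense evasion) in CloudTrail records.

Input is the "Records" array of a CloudTrail log file. Added example for
these notes; the sample records below are constructed.
"""
from __future__ import annotations

import json

# GuardDuty control-plane calls worth alerting on: base severity and reason.
TAMPER_EVENTS = {
    "CreateIPSet": ("high", "trusted IP list created"),
    "UpdateIPSet": ("high", "trusted IP list changed"),
    "DeleteThreatIntelSet": ("high", "threat intel list deleted"),
    "UpdateThreatIntelSet": ("medium", "threat intel list changed"),
    "UpdateDetector": ("medium", "detector configuration changed"),
    "DeleteDetector": ("critical", "detector deleted"),
    "DeleteMembers": ("high", "member accounts removed"),
    "DisassociateMembers": ("high", "member accounts disassociated"),
    "DeletePublishingDestination": ("high", "findings export destination deleted"),
}


def classify(record: dict, trusted_principals=frozenset()) -> dict | None:
    """Return a finding for a tampering record, or None if the record is benign."""
    if record.get("eventSource") != "guardduty.amazonaws.com":
        return None
    name = record.get("eventName")
    if name not in TAMPER_EVENTS:
        return None
    severity, reason = TAMPER_EVENTS[name]
    params = record.get("requestParameters") or {}
    principal = record.get("userIdentity", {}).get("arn", "unknown")

    # UpdateDetector is routine unless it switches the detector off.
    if name == "UpdateDetector" and params.get("enable") is False:
        severity, reason = "critical", "detector disabled"
    # A failed attempt (e.g. AccessDenied) still shows intent: keep it visible.
    if record.get("errorCode"):
        severity, reason = "medium", f"{reason} (attempt failed: {record['errorCode']})"
    # Known security-admin principals are expected to touch these APIs,
    # but nothing short of critical is downgraded for them.
    elif principal in trusted_principals and severity != "critical":
        severity = "info"

    return {
        "time": record.get("eventTime"), "region": record.get("awsRegion"),
        "principal": principal, "source_ip": record.get("sourceIPAddress"),
        "event": name, "severity": severity, "reason": reason, "request": params,
    }


def find_guardduty_tampering(records: list[dict], trusted_principals=frozenset()) -> list[dict]:
    """Filter CloudTrail records down to GuardDuty tampering findings."""
    return [f for f in (classify(r, trusted_principals) for r in records) if f]


# Constructed CloudTrail records (dummy account, ARNs and detector ID).
DETECTOR = "12abc34d567e8fa901bc2d34e56789f0"
DEVOPS = "arn:aws:sts::123456789012:assumed-role/DevOpsAdmin/alice"
SECAUDIT = "arn:aws:sts::123456789012:assumed-role/SecurityAudit/ci"
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:02:11Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "CreateIPSet", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "AssumedRole", "arn": DEVOPS},
     "requestParameters": {"detectorId": DETECTOR, "name": "ops-allowlist", "format": "TXT",
                           "location": "https://s3.amazonaws.com/example-bucket/allow.txt",
                           "activate": True}},
    {"eventTime": "2024-05-01T10:03:00Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "GetFindings", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": SECAUDIT},
     "requestParameters": {"detectorId": DETECTOR}},                    # read-only, benign
    {"eventTime": "2024-05-01T10:05:42Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "UpdateDetector", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole", "arn": SECAUDIT},
     "requestParameters": {"detectorId": DETECTOR, "enable": False}},  # detector switched off
    {"eventTime": "2024-05-01T10:09:03Z", "eventSource": "guardduty.amazonaws.com",
     "eventName": "CreateIPSet", "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.45",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
     "errorCode": "AccessDenied", "errorMessage": "User is not authorized",
     "requestParameters": {"detectorId": DETECTOR, "name": "x", "format": "TXT",
                           "location": "https://s3.amazonaws.com/example-bucket/x.txt"}},
]})


if __name__ == "__main__":
    records = json.loads(SAMPLE_LOG)["Records"]
    for f in find_guardduty_tampering(records, trusted_principals={SECAUDIT}):
        print(f"[{f['severity']:8}] {f['time']} {f['region']} {f['event']:18} "
              f"{f['principal']} from {f['source_ip']}: {f['reason']}")
```

In a real pipeline the records come from the CloudTrail S3 bucket or an EventBridge rule on `guardduty.amazonaws.com` events; the trusted-principal set should be the delegated administrator's automation role only, so a CreateIPSet from any other principal (or from an unexpected source IP) is paged on.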

GuardDuty collects its logs automatically (you don't have to enable CloudTrail, VPC flow logs or DNS logging yourself):

  • AWS CloudTrail logs

  • Amazon Virtual Private Cloud (Amazon VPC) flow logs

  • Amazon Route 53 DNS logs

  • (Optional) EKS Protection (EKS audit logs)

  • (Optional) Lambda Protection (network activity of Lambda functions)

  • (Optional) Malware Protection (scans EBS volumes attached to EC2 instances; S3 objects can be scanned as well)

  • (Optional) RDS Protection (login activity on supported RDS/Aurora databases)

  • (Optional) Runtime Monitoring for EKS, ECS and EC2 (agent-based, so coverage depends on the agent being deployed)

  • (Optional) S3 Protection (uses CloudTrail S3 data events, not S3 server access logging)

Things to know

  • GuardDuty is regional: it needs to be enabled in each region and in every account you use. In an organization, use a delegated administrator account with auto-enable so new accounts and regions don't slip through.

  • Use Security Hub (or the GuardDuty delegated administrator account) to centralize findings across accounts and regions

  • Collection of logs is out-of-band: GuardDuty reads the data sources directly and neither changes nor depends on your existing CloudTrail / flow log / DNS logging configuration

  • Doesn't work on historical logs, only forward in time from the moment it is enabled. For the IR use case this means there are no findings for activity before enablement; that period has to be reconstructed from CloudTrail, flow logs etc. yourself (e.g. with Athena).

  • GuardDuty findings are a very good first indicator of an incident in AWS, but they are alerts, not the full picture: pivot into the underlying CloudTrail / flow log evidence (or Detective) to scope the incident
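Because GuardDuty is per-region and per-account, the practical check is an inventory of every enabled region with the detector status. The script below is an added example (not from the original notes): the audit logic takes an injectable lookup so it can be exercised offline, and the two `boto3_*` helpers do the live lookups using the real `guardduty:ListDetectors`, `guardduty:GetDetector` and `ec2:DescribeRegions` calls. The region names and detector IDs in the usage note are constructed.

```python
"""Audit GuardDuty coverage across all enabled regions of an account.

Added example for these notes. A region only counts as covered if it has at
least one detector whose status is ENABLED; no detector at all means GuardDuty
was never turned on there, a DISABLED detector means someone turned it off.
"""
from __future__ import annotations

from collections.abc import Callable, Iterable


def audit_guardduty_coverage(
    regions: Iterable[str],
    get_detectors: Callable[[str], list[tuple[str, str]]],
) -> dict[str, list[str]]:
    """Return {'covered': [...], 'uncovered': [...]} region lists.

    get_detectors(region) must return [(detector_id, status), ...], where
    status is the GetDetector 'Status' value ("ENABLED" or "DISABLED").
    """
    report: dict[str, list[str]] = {"covered": [], "uncovered": []}
    for region in regions:
        detectors = get_detectors(region)
        if any(status == "ENABLED" for _, status in detectors):
            report["covered"].append(region)
        else:
            report["uncovered"].append(region)
    return report


def boto3_get_detectors(region: str) -> list[tuple[str, str]]:
    """Live lookup: list every detector in the region with its status."""
    import boto3  # imported here so the audit logic works without boto3 installed

    gd = boto3.client("guardduty", region_name=region)
    detectors = []
    for detector_id in gd.list_detectors().get("DetectorIds", []):
        status = gd.get_detector(DetectorId=detector_id)["Status"]
        detectors.append((detector_id, status))
    return detectors


def boto3_enabled_regions() -> list[str]:
    """Live lookup: regions enabled for this account (opt-in regions you never enabled are excluded)."""
    import boto3

    ec2 = boto3.client("ec2")
    return [r["RegionName"] for r in ec2.describe_regions()["Regions"]]


if __name__ == "__main__":
    report = audit_guardduty_coverage(boto3_enabled_regions(), boto3_get_detectors)
    for region in report["uncovered"]:
        print(f"GuardDuty NOT enabled: {region}")
    print(f"{len(report['covered'])} region(s) covered, {len(report['uncovered'])} uncovered")
```

Run it once per account (or once per member account via an assumed role) from an identity that has the three read-only permissions above; an `uncovered` region in an account that is supposed to be fully onboarded is either an onboarding gap or the DeleteDetector / UpdateDetector evasion mentioned earlier, and CloudTrail tells you which.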

Amazon Inspector

What:

  • Amazon Inspector is a vulnerability management service that continuously scans your AWS workloads for software vulnerabilities and unintended network exposure.

How: Inspector automatically scans for vulnerabilities in:

  • EC2 instances (works on Windows and Linux)

  • Container images in Amazon ECR

  • AWS Lambda functions

  • Uses AWS Systems Manager (SSM) to perform scanning on instances: with agent-based scanning an instance is only scanned if the SSM Agent is running and the instance is an SSM managed node, so unmanaged instances are blind spots worth checking

  • Scans for vulnerabilities in the operating system as well as the software packages used

  • Lambda code scanning (optional, on top of the package scanning) also scans the function's own code for potential vulnerabilities such as injection flaws and hardcoded credentials

Amazon Detective

Data sources collected for Amazon Detective:

  • AWS CloudTrail logs

  • Amazon Virtual Private Cloud (Amazon VPC) flow logs

  • For accounts that are enrolled in GuardDuty, Detective also ingests GuardDuty findings (GuardDuty must have been enabled for at least 48 hours before Detective can be enabled)

  • (Optional) Amazon EKS Audit Logs

  • (Optional) AWS Security findings from Security Hub

AWS Security Hub

AWS Security Lake
